The spy in your inbox

One PR company—and its tracking program—creep out an Ars writer.

Everything on the Internet is monitored in some way. Companies track what you do at work through deep packet inspection to make sure you don't wander into territory forbidden by company policy, or dump corporate data to a remote server just before you give notice. The Web pages you visit and the HTML-based mass e-mails you open are logged and tracked by advertisers and marketers. And your boss can tell if you've ever opened that urgent message or not.

But people usually don't throw it in your face and shatter whatever remaining illusions of privacy you might have, as someone did to my colleague Andrew Cunningham today."Oh, man, a PR person was just totally creepy at me," he interjected over IRC this morning.

The "creepy" was an e-mail that a media representative for a company called ContactMonkey sent on the heels of another one Cunningham had just opened. The second message included information about his location, the e-mail client he had used to open it, and the exact time it had been opened.

The Outlook plug-in toolbar for ContactMonkey's Bridge.

The message and the data were a demonstration of Bridge, a $5-a-month service that installs a plugin for Microsoft's Outlook 2010 mail client and for Google's Chrome browser for use with GMail. Bridge gives anyone the power to know those details for any message they send—or at least any message that lands in the inbox of someone who trustingly opens e-mails without blocking HTML-embedded images.

Invisible sprites

That's because Bridge uses an embedded graphic with a unique Web address to track each message. That Web address includes calls to ContactMonkey's tracker API, which include a message identifier and the e-mail address of the sender. When the recipient opens a tracked e-mail, it sends a secure Web request back to ContactMonkey's server identifying the message, and the server records the IP address that the message was opened from and the date and time. Then it pushes back data to the sender, including how many times the message was viewed, the geographic location it was viewed at (based on the IP address), and the type of client it was viewed from (based on what the mail client reports as its type when it makes the HTML request).

The HTML code that embeds the tracking graphic in Bridge-bugged email messages (address of sender obscured).

Using graphics to collect metrics is an old hack, going back to the "sprites" used on many early personal Web pages to track page views. Web request based tracking is also heavily used by both legitimate large-scale e-mailers and spam factories to collect information such as when and where e-mails are opened, and to test the "hit rate" for various subject lines and offer teases.

But ContactMonkey gets even more personal about it, because it identifies each recipient explicitly, and reports back directly on them. It's a technique akin to those used by some "spear-phishing" attacks to inject code into e-mails—no, it doesn't execute code on the client. But it does create a way to collect information that might be useful for stalking someone.

Sweeping for bugs

There's an easy way to block this sort of tracking with most mail clients. Microsoft Outlook, for example, will allow users to block embedded graphics in e-mails from all sources, or only display them in e-mails from sources in the user's contact list. Most companies will set their mail systems to block HTML-embedded objects in messages for security purposes.

Users of Apple's Mail app have a little less fine-grain control—unchecking "Display remote images in HTML messages" in Mail's "Viewing" preferences blocks all HTML-embedded images from loading when you open a message. But that's not the case with some mobile and Web-based mail clients—the iOS Mail app and Android 4's built-in mail client, for example, both open HTML enclosures by default. That means if you open a bugged e-mail from a mobile device, the sender will be able to get information on where you are based on whatever IP address gets associated with your phone or tablet, whether it's via Wi-Fi or your cellular provider.

If you do get tracked and discover it, however, there are some interesting ways to disrupt the tracking. For example, you could clip the tracking tag from the email and post it as a graphic or link on a website.

But that something like Bridge can be so easily blocked, and that it takes advantage of technologies that most business users may consider to be a security threat, should be enough to discourage most legitimate users from trying to use the service. After all, it's really just a sneaky way of doing the same thing that a Return-Receipt-To e-mail header does, without giving the recipient a choice. And very few legitimate mass-mailers generate their e-mails from Outlook or GMail.

So that makes Bridge the provenance of a very narrow strip of users, one that includes stalkers, private investigators, ex-spouses and high-pressure salespeople—and the occasional public relations consultant.

Promoted Comments

I've worked (subcontracted) for a company that does this - while I agree with the creepy factor, it's not new by any stretch of the imagination, and it's as easy to block as toggling images off - in gmail you can do this on a person by person basis.

The hard part where I worked was explaining the limitations of it - about 10-15% of people in fact do have that toggled off, and it's hard to get people to understand that it's *just* a 1x1 transparent pixel downloaded from a carefully configured URL, and even then they would decide to hack the html themselves and not understand that you had to do it just right to be sure it would be (if not explicitly blocked) downloaded the same way by Thunderbird (It has to be valid HTML - Great) Outlook (it has to be in the body and not CSS - Okay) or god help you Lotus Notes (It has to be in the Body, not in CSS, not referenced in the wrong way, and you must three times properly enunciate the traditional mantra in the dark of a new moon in accordance with the ancient rites. DIE LOTUS NOTES DIE DIE DIE!!!).

Why is this at all surprising? This is the future of Internet services and anyone who thinks otherwise is simply naive.

It's the past of internet services. Blank 1x1 images have been used for at least a decade, probably longer, to track these kinds of things. The only thing surprising is how ineffective it is - it would be much simpler to embed all information, including email addresses, in the encoded string - and how it automates the tracking for users.

But ContactMonkey gets even more personal about it, because it identifies each recipient explicitly, and reports back directly on them.

They're tracking the fact that you downloaded an image from a url they own, and then they connect that request back it to an email they sent. Everyone involved in email marketing (who is competent) does this. They also track if you forward the message to anyone. It's no more nefarious than reading your own "To" field in an email and running Google Analytics on your website.

If you want to prevent people from knowing you've opened an email then turn images off...Gmail does this by default.

Why is this at all surprising? This is the future of Internet services and anyone who thinks otherwise is simply naive.

It's the past of internet services. Blank 1x1 images have been used for at least a decade, probably longer, to track these kinds of things. The only thing surprising is how ineffective it is - it would be much simpler to embed all information, including email addresses, in the encoded string - and how it automates the tracking for users.

I we call them web bugs instead of "sprites", it might ring a few more bells with people, and raise flags about why it might matter. Of course, if you're the type to install such plug-ins and toolbars, chances are you won't recognize either term.

You kind of have to work at it to not block it. Under Settings > Inbox there's a section called "External content". You can have it always load for "trusted senders" (whom you'll identify when they send you emails with external content) or you can set it to _always_ prompt you before loading external content (e.g. embedded images), regardless of sender.

And by being creepy, the PR flack bought him/herself an article on Ars to promote this service. No doubt some people (sigh) are reading this article and thinking "I could totally use this to help me send more email to sell whatever enterprise nonsense I'm hawking this month." Sounds like you fell for it hook, line, and sinker.

Thinking about the plug-ins: ever used an anti-virus plug-in for Outlook, or a browser? Perhaps some of the same principles apply: just because the browser or e-mail client doesn't render the image doesn't mean that the plug-in can't detect it, just as an A-V scanner plug-in would, and do its thing by phoning home. This is conjecture - I don't know how the plug-ins/tool-bars are coded, and don't really want to find out. I'm just saying that the more conventional blocking techniques may or may not work, depending on the client code.

You kind of have to work at it to not block it. Under Settings > Inbox there's a section called "External content". You can have it always load for "trusted senders" (whom you'll identify when they send you emails with external content) or you can set it to _always_ prompt you before loading external content (e.g. embedded images), regardless of sender.

Mine was defaulted to "trusted senders", but I don't ever remember changing it. However, they say this about who is "trusted":

Quote:

But, if someone you've sent email at least twice sends you a message with images in it, you’ll see the image by default (because the people in this group are likely people you know and trust). We'll only show images in messages that are authenticated, so you won't have to worry about seeing images in messages where the sender's name or address is spoofed. If you’d like, though, you can change your settings so that images from these senders won’t be shown by default either. Here’s how:

So only people *you* email (at least twice) get added to "trusted" list. That seems pretty reasonable, though the limit could be a little higher IMO. Also, I can't find a way to see which "trusted" senders I have as a result of this policy, though it seems there are options when viewing a message by clicking "more details". Ideally I'd like some way to simply add/remove contacts from the trusted list.

This kind of tracking is utilised within the campaign monitor email marketing system. Cool but totally creeps clients out at first. They use a 'live' map that you can watch the pins pop up as people on the email marketing open up the email, it also notes the number of times viewed.

I've worked (subcontracted) for a company that does this - while I agree with the creepy factor, it's not new by any stretch of the imagination, and it's as easy to block as toggling images off - in gmail you can do this on a person by person basis.

The hard part where I worked was explaining the limitations of it - about 10-15% of people in fact do have that toggled off, and it's hard to get people to understand that it's *just* a 1x1 transparent pixel downloaded from a carefully configured URL, and even then they would decide to hack the html themselves and not understand that you had to do it just right to be sure it would be (if not explicitly blocked) downloaded the same way by Thunderbird (It has to be valid HTML - Great) Outlook (it has to be in the body and not CSS - Okay) or god help you Lotus Notes (It has to be in the Body, not in CSS, not referenced in the wrong way, and you must three times properly enunciate the traditional mantra in the dark of a new moon in accordance with the ancient rites. DIE LOTUS NOTES DIE DIE DIE!!!).

It would make much more sense for images and other reasonable-size non-text content to be embedded in the email, perhaps as a separate part per image of multipart content emails that are then referenced in the HTML or less efficiently, stuffed in base64-encoded URLs.

Or perhaps a popular mail server could always fetch external images as soon as the email is received, not read, and passing that along to the email client, thus giving the sender no information about whether the email was read.

Why is this at all surprising? This is the future of Internet services and anyone who thinks otherwise is simply naive.

As long as a law isn't being broken, anything goes with your personal data and behavior. Expect far worse as time goes on.

Before laws existed, most folks followed a social mores system.

Sadly, more and more folks are feeling the way you do ... if there's no law broken, then it's fair game. There's a difference between "legal" and "moral". And, the sad thing is, we have to pass more and more laws just to legislate what should be obviously immoral.... or at the very least creepy as hell.

A long time ago, I wrote a little java program that filled this kind of thing with random garbage. As in, making a zillion requests with randomized data.Ran it for a bit, but got bored, as there was no feedback of the damage done... Heh.

Thunderbird has generally been good about this. I believe it defaults to only showing you images for people in your contact list. It is even a bit zealous about the protection and labeling emails as potential scam emails.

I just assume any time I get an email from a retailer or political campaign, and I hit the show image button, that they are tracking it. If nothing else, they are probably keeping a log of the ip addresses that access their image server.

Yes this is very old tech and this company is aggressively rolling out their interpretation of it. They actually called me a few months ago to try and sign my agency up to their service. Some interesting ideas. We don't use them though.

... or god help you Lotus Notes (It has to be in the Body, not in CSS, not referenced in the wrong way, and you must three times properly enunciate the traditional mantra in the dark of a new moon in accordance with the ancient rites. DIE LOTUS NOTES DIE DIE DIE!!!).

Amen brother, having worked at IBM and having to use Lotus Notes, wow it's got to be one of the most frustratingly annoying pieces of software ever created, then mangled into pure chaos, then rewritten in java to make it slower....

Once upon a time, this was a big part of spam. Embed, see which requests come though, and bam! They know which addresses are valid. And that's why now every email system automatically blocks html images in spam.

Though now that sending the spam is virtually free with botnets, they don't bother and just flood every address.

Is this because your tracking stuff doesn't work when the recipient uses Notes? Because Notes automagically blocks image downloads, but provides an easily accessible link to enable images for those who want?

I have several choices of email client, most of them free. I pay IBM $$ per year to use Notes.

As part of the conversation about "trusted senders" I feel it's important to remember that this company is selling to the sender; if Grandma (or Ars) is paying them and Grandma (or Ars) is on your trusted sender list then you're going to be tracked using this method.

Please correct me if I'm wrong. Or if I used that semicolon incorrectly.

I totally know what to do if I ever get one of these and decide I want to screw with the sender's head. I'd go in and get the path of the international space station, then see about getting certain contacts to click on a certain link, in a certain sequence, over the course of a day.

Why isn't there a setting in e-mail clients to automatically reject images less than X by Y in size?

Funny, I told someone how to do this the other day because they wanted to track down an anonymous poster on a forum who was linked with a real-world physical attack on a friend of mine.

But what concerns me more about HTML/CSS and worse: Java-enabled mail clients. Is that the drive-by attacks we see online, can be migrated to e-mail. I hope everyone has their preview panes turned off.

Disclosure: I work in marketing and I use email tracking reports offered by our ESP.

This is nothing new - the stats like these have been collected by email marketers for a while and, to some extent, they're less intrusive than the stats collected by your average web analytics tool. You've just been a victim of a hard sell, nothing more.

Every self-respecting email marketing provider offers stats like these and even more. Have a look at Litmus, for example.

The service that did creep me out a bit several years ago was ReadNotify - they used all kinds of stuff (like BASE64-encoded images and embedded audio files) to track "engagement" metrics.

As a marketer, I appreciate the tracking that's offered to me by my ESP - this lets me do my job better and understand what my customers want from me. However, I do respect my customers' privacy as much as I respect mine and certainly wouldn't use things like KISS Metrics.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.